DKIM 'temperror' result in Outlook.com DMARC Reports

Freddie Leeman -

Introduction

In recent years, email administrators have been encountering unusually high rates of DKIM authentication failures in DMARC reports from Microsoft's Outlook.com. These failures are labeled temperror and signify temporary DNS lookup issues, which Microsoft has acknowledged and is working to resolve. In this post, we’ll explain what this error means, why it’s happening, and how administrators should interpret and respond to these reports.

What is DKIM and Why Does 'temperror' Appear in DMARC Reports?

DKIM (DomainKeys Identified Mail) is an essential component of email security. It uses cryptographic signatures to verify an email's authenticity and ensure it hasn’t been altered in transit. When a DKIM check fails, it’s reflected in the DMARC report.

The temperror status in DMARC reports indicates that Microsoft encountered an issue when attempting to perform a DNS lookup to validate the DKIM signature. This can occur due to various factors, such as an overburdened DNS server, a temporary connectivity problem, or, as Microsoft has pointed out, a more specific challenge in their DNS processing infrastructure.

Why Microsoft’s DKIM 'temperror' is Significant

Although a temperror typically points to a temporary issue, its frequent appearance can be problematic for email senders. A series of temperror results can distort DMARC reports, giving a misleading view of your domain’s authentication performance. While a temperror doesn't signal a permanent failure, it can still affect email deliverability. If SPF (Sender Policy Framework) fails or is misaligned, legitimate emails might be marked as unauthenticated, leading to potential delivery issues.

The Numbers Behind the Issue

Looking at recent data, over the past 90 days, 0.6% of all DMARC reports received by URIports from Outlook.com included a DKIM temperror. By comparison, Enterprise Outlook showed just 0.04%, and other DMARC report providers, like Mimecast and Yahoo, reported figures well below 0.001%.

The Bottom Line

Currently, DKIM temperror results in DMARC reports from Outlook.com don’t necessarily indicate a misconfiguration on the sender's end. The primary cause is Microsoft’s ongoing DNS resolution issues, which the company is actively working to resolve. In the meantime, you can minimize the impact of these temporary errors by ensuring your SPF passes successfully, as this will help ensure DMARC passes.

Are you curious about your domain's SPF, DKIM, and DMARC configuration? Use our free tool at DMARCtester.com to visualize and verify your domain's email authentication setup!